Cyberattacks: Must-haves for a Crisis Communication Plan

This spring, the second-largest telecommunications company in the United States, AT&T, fell victim to cyberattacks, twice. These breaches led to hackers accessing call records and messages from over 100 million people. At first, the company concealed information about the data breach, but once it became public, AT&T’s stock value dropped—potential losses were estimated at $43-90 million—and the company faced widespread criticism in both the media and on social networks.

This incident highlights that even the largest and most secure corporations are vulnerable to cyberattacks. 

Ukraine has learned this lesson like no other. In 2023, government organizations, critical infrastructure and companies faced over 2,500 major cyberattacks—an average of nearly eight per day. The country has become a primary target for hackers from Russia, which confidently leads the global “Cybercrime Index.” Recently, Ukraine’s experience laid the foundation for the Trident cyber training program by the U.S. Cyber Ranges.

Concealing a cyber incident not only demonstrates a company’s unpreparedness for crises, but also damages its reputation and leads to significant long-term financial losses. Instead, consistent and transparent communication can mitigate losses, preserve reputation and maintain customer loyalty. This is why every company should include a cyber incident communication plan in its crisis strategy.

In 2024, the average data breach cost victim organizations a record-high $4.88 million, according to an IBM report. Meanwhile, the number of cyberattacks increased by 72% from 2021 to 2023. When a crisis unfolds and users’ personal data is at risk to be compromised, companies cannot afford to waste time deliberating their next communication steps. Preparing for cyber incidents in advance is essential, and the communications team must be an integral part of the crisis plan.

What Should a Cyberattack Crisis Communications Plan Consist Of?
Precise Notification Protocols

It is crucial to take the following steps in advance:

• Set up a dedicated cross-functional cyber crisis comms team (including top management, legal, PR, cybersecurity and tech experts) with clear roles and responsibilities. 
• Identify the spokespersons: determine who will publicly represent the company during a crisis, provide comments to the media, and updates to the stakeholders.

A good example of effective crisis communication is last year’s incident involving CrowdStrike. Ironically, the cybersecurity firm released a system update on July 19, 2024, that contained a bug for Windows. It took down approximately 8,5 million Windows machines worldwide, including those in hospitals, airports and train stations. In the U.S., all flights were temporarily grounded.

CrowdStrike’s CEO, George Kurtz, communicated regularly with users on X (formerly known as Twitter) during the crisis and published a detailed incident analysis the next day. Even with only 47,000 subscribers, his timely posts on the crisis stretched from one to 10 million views.

However, the company later came under fire for offering affected users $10 Uber Eats gift cards as compensation.. So here’s the takeaway: no matter how severe the crisis was, compensation must be proportionate to the damage caused.

• Understand who needs to be informed at each stage of the incident and establish timelines. A cyber crisis is a situation in which you do not want to end up in reactive mode, trying to manage speculation from customers or circulating in the news and social media. If the company doesn’t release its position first, it will waste time combating guesses and accusations.
• Draft messages for internal and external stakeholders, including updates for company leadership and public statements in case of escalation

I suggest using the Krebs Framework:

• Tell the public what is known (do not limit information to “control panic”).
• Tell the public what is unknown yet. Communicate regularly and provide timely updates.
• Advise stakeholders on how to protect themselves and explain what the company is doing.
• Explain when and where more information will be available, but avoid overpromising.

Defined Tools and Communication Channels

During a cyberattack, usual communication channels may be down or compromised. Gaining access to corporate email or Slack could allow attackers to monitor your actions, while websites and other company platforms may go offline.

Thus, an organization should determine which tools and channels will be used for different crisis scenarios, such as secure messengers or emergency hotlines. Ensuring secure communication is crucial when handling personal data or other sensitive information.

For instance, T-Mobile, after a massive data breach in 2023, used email, its mobile app, website and media comments to communicate crisis updates and action plans. Security specialists proactively reset passwords and PIN codes for affected customers, provided emergency hotlines and credit bureau contacts for fraud reports, and offered two years of free personal data protection services. While T-Mobile couldn’t avoid investigations and fines, these measures helped protect customers, maintain their loyalty, and demonstrate the company’s commitment to their security.

Regular Crisis Communication Drills

Discovering vulnerabilities in a crisis plan in the midst of a cyberincident is a losing bet. Communication drills with crisis simulations are the best way to ensure that every member of the crisis response team understands their roles and responsibilities, that all the actions are coordinated, and that stakeholders can be reached through alternative communication channels.

Post-Crisis Communication

When the crisis is over,  it’s tempting to take a break and skip post-crisis communication. This is a common mistake, with many companies concluding their crisis communication with a simple “our services are restored, you can use them.” While this might be enough for minor crises, it’s still better to inform stakeholders about outcomes and lessons learned. This could involve preparing a detailed report for the board, an internal report for the team, and public statements to reassure clients and partners.

The Challenges of Crisis Communication During Cyberattacks

Handling communication during a cyberattack is a challenging task, even for experienced professionals. Usual communication channels may be down, and the consequences of such crises affect all stakeholders—from employees to users and investors.

The importance of preparedness for cyber incidents is already recognized in the European Union. Starting January 2025, the Digital Operational Resilience Act (DORA) will require financial institutions and their IT service providers to have a crisis communication plan. In Ukraine, this remains at the discretion of companies, but experience shows that cyberattacks are inevitable. However, proper preparation to communicate during the cyber incidents can help companies reduce financial and reputational losses, and even improve customer loyalty.

Julia Petryk is CEO and Co-founder of Ukranian-based Calibrated.

This article was originally published by a www.prnewsonline.com . Read the Original article here. .